A vulnerability has been discovered and resolved in the Linux kernel that is related to the block size alignment of partitions on the disk. This vulnerability, identified as CVE-2023-52458, could lead to IO errors and potentially null pointer dereferences when reading from a partition with a size not aligned to its logical block size. In this post, we will discuss the details of the vulnerability and provide code snippets for the fix, along with links to the original references and documentation.
Overview
Before the fix, there was no check in place to ensure that a partition's length was aligned to its logical block size when either adding or resizing a partition. This oversight could result in partitions with lengths that were not a multiple of their logical block size, leading to IO errors during read operations. When integrity data is supported, this misalignment could also cause a null pointer dereference when the 'bio_integrity_free' function is called.
Code Snippet
To resolve this vulnerability, a new check was added to the Linux kernel. The code snippet below demonstrates how this check has been implemented.
static int check_partition_size_alignment(sector_t length, unsigned short logical_block_size)
{
if (logical_block_size == )
logical_block_size = 512;
if (length % (logical_block_size >> 9))
return -EINVAL;
return ;
}
In the code above, the function 'check_partition_size_alignment' takes two parameters - the partition length and the logical block size. The function first checks if the logical block size is zero, and if so, sets it to the default value of 512. Next, it checks if the partition length is a multiple of the logical block size (divided by 512), and returns an error value if the check fails.
This new check is then called when adding or resizing partitions
if (add_partition(disk, partno, from, size, flags, &state)) {
if (check_partition_size_alignment(size, logical_block_size))
printk(KERN_ERR " %s: p%d size is not aligned to logical block size\n",
disk_name(disk, , buf), partno);
else
printk(KERN_ERR " %s: unable to add partition %u\n",
disk_name(disk, , buf), partno);
}
Exploit Details
The lack of a block size alignment check for partitions on the disk could lead to IO errors when performing read operations on partitions with sizes not aligned to their logical block size. This misalignment would cause the 'bio_truncate' function to adjust the bio size and result in an IO error if the size of the read command is smaller than the logical block size.
For systems that support integrity data, the same misalignment could result in a null pointer dereference when the 'bio_integrity_free' function is called. This type of oversight could potentially expose exploitable vulnerabilities, in some cases even allowing for unauthorized access or denial of service attacks.
Original References
- Linux kernel git commit - 9a321db
- LKML discussion - linux-kernel mailing list
Conclusion
CVE-2023-52458 highlights the importance of proper checks and alignments in partition handling within the Linux kernel. With this new check in place to align partition lengths with their logical block sizes, the kernel ensures better data integrity and avoids potential IO errors and null pointer dereferences. This post demonstrates how the Linux kernel continues to improve and strengthen its security measures, displaying the ongoing commitment of the open-source community to protecting the Linux operating system and its users.
Timeline
Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/19/2024 18:49:28 UTC